Locking Your Shell

General Information

Oftentimes we SSH into our BSD boxes and then have to leave our stations for a little while. If we don’t do anything special with our open terminal, it poses a serious security threat to our boxes. Wouldn’t it be nice if we could just lock the open terminal without having to close the connection? Well, we can, with a built-in utility called lock(8). There is also the vlock port, which I will discuss as well.

Requirements

Local access on the box.

An SSH client such as PuTTY or SecureCRT (if you are using it remotely).

lock

Once you issue lock, you will be prompted to enter the unlocking key, or passphrase. You will also notice that the lock will automatically time out and unlock in 15 minutes. This is a security problem if you will be gone for more than 15 minutes. As with most commands, there are options you can add to the command to override the defaults. The default behavior of lock is to request an unlocking key and to time out in 15 minutes. I like issuing

With these two options, there is no timeout and the key is your password from /etc/passwd.

If you look at the man page, you’ll see there are four options for use with lock(8).

The following options are available:

    -n          Don't use a timeout value. Terminal will be locked forever.
    -p          A password is not requested, instead the user's current login password is used.
    -t timeout  The time limit (default 15 minutes) is changed to timeout minutes.
    -v          Disable switching virtual terminals while this terminal is locked.
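
The following wrapper is an added example, not part of the original page or of lock(8) itself. It combines the four options above so a session never falls back to the 15-minute auto-unlock by accident. The function names lock_args and lockterm are hypothetical, and the /dev/ttyv* console naming is an assumption (FreeBSD virtual terminals).

```shell
#!/bin/sh
# Added example: choose lock(8) options from the four listed above.
#
# lock_args TTY [MINUTES] prints the option string to pass to lock(8).
#   TTY      terminal device, e.g. /dev/ttyv0 (console) or /dev/pts/3 (SSH)
#   MINUTES  optional timeout; when omitted the terminal never auto-unlocks
lock_args() {
    tty_name=$1
    minutes=${2:-}

    # -p: unlock with the login password instead of a one-off key
    args="-p"

    case $minutes in
        "")
            # -n: no timeout, so the lock does not expire after 15 minutes
            args="$args -n" ;;
        *[!0-9]*|0*)
            # reject anything that is not a positive integer
            echo "timeout must be a positive number of minutes" >&2
            return 1 ;;
        *)
            # -t: explicit timeout chosen by the caller
            args="$args -t $minutes" ;;
    esac

    case $tty_name in
        /dev/ttyv*)
            # -v only matters on a local virtual terminal (assumed naming)
            args="$args -v" ;;
    esac

    printf '%s\n' "$args"
}

# lockterm [MINUTES]: lock the current terminal with the options chosen above.
lockterm() {
    args=$(lock_args "$(tty)" "${1:-}") || return 1
    # word splitting of $args is intentional here
    lock $args
}
```

Source the file from your shell startup file and run lockterm before stepping away, or lockterm 60 to allow an unlock after an hour.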

vlock

This second method uses the vlock port. I personally find it more attractive and simpler to use.

Installation

# cd /usr/ports/security/vlock
# make install distclean

If you don’t ever want to use lock(8) again, you can replace the file with a link to vlock.